Update to jQuery 3.4.1 to resolve XSS issues with jQuery 3.3.1

[TheWitness]

Describe the bug
As reported in the media, jQuery less than version 3.4 versions have an XSS vulnerability. Therefore we need to update the Cacti release of jQuery. One such example article is here: https://snyk.io/blog/84-percent-of-all-websites-impacted-by-jquery-xss-vulnerabilities/

Expected behavior
Cacti should be a secure as possible.

[TheWitness]

@paulgevers, @DavidLiedke, @mortenstevens, you guys should be aware of this one. Release to 1.2.11 pending.

[TheWitness]

Commit was here: fc54d28

[paulgevers]

@TheWitness thanks for the heads up.

I believe that the Debian users of Cacti had the fix since around April 2019, see Debian bug #927385. Ubuntu probably (didn't check) as well.

[netniV]

So we are playing catchup with you guys then. I wonder if @mortenstevens is the same?

[mortenstevens]

Fedora / RHEL Updates:

Fedora 30: https://bodhi.fedoraproject.org/updates/FEDORA-2020-70fa57d566
Fedora 31: https://bodhi.fedoraproject.org/updates/FEDORA-2020-c1745db1aa
Fedora 32: https://bodhi.fedoraproject.org/updates/FEDORA-2020-788dd52289

RHEL 7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-34295ace88
RHEL 8: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8fcf741d7f

[netniV]

Thanks for the links @mortenstevens, are you requiring a minimum level of jQuery as Paul does? I couldn't see from what I looked at but I only took a quick glance.

[mortenstevens]

@netniV
We are using the bundled jquery as shipped with cacti and it's set to 3.4.1 in the RPM spec file.
See https://src.fedoraproject.org/rpms/cacti/c/aeacf313ca09c6506f136eac18ce46390892b4b1?branch=master

[netniV]

OK thanks. That clears that up. I think that Paul references the system wide jQuery which is why I asked the question 👍

[TheWitness]

Awesome @mortenstevens. Fast and fresh.

[paulgevers]

@netniV yes, in Debian and Ubuntu we're using the system wide jQuery, and indeed the bug I mentioned was the fix in jQuery, not in Cacti itself.